mailing list archives
Re: SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!)
From: "Daniel Kachakil" <dani () kachakil com>
Date: Sun, 8 Feb 2009 14:28:27 +0100
Thanks for your comments. And yes, I think you are 100% right. The SFX-SQLi
"injection technique/method" (is there a better name for it?) will not help
you to extract more data than other existing techniques.
The XMLSCHEMA option is only an alternative way to get the column names
(instead of using SYSOBJECTS, for instance). Maybe it can also bypass some
basic filters (e.g. there is no need to use the WHERE clause), but this is
The main difference is this:
- Time-based SQL injection: 1 request -> 1/2 char using Deep Blind (but
- Blind SQL injection: 1 request -> 1/7 char
- Union / error-based SQL injection: 1 request -> 1 field
- SFX-SQL injection: 1 request -> 1 table
So yes, this technique will extract the same data, but thousands of times
faster than other methods.
From: "Paul Schmehl" <pschmehl_lists () tx rr com>
Sent: Sunday, February 08, 2009 5:10 AM
To: <full-disclosure () lists grok org uk>
Cc: "Daniel Kachakil" <dani () kachakil com>
Subject: Re: [Full-disclosure] SFX-SQLi: A new SQL injection technique for
SQL Server (dumps a table in one request!)
--On February 7, 2009 10:02:21 AM -0600 Daniel Kachakil
<dani () kachakil com> wrote:
I have written a paper describing how the technique works and in which
fundamentals it is based, and I have also developed a tool which
this technique as a proof of concept (with the source code included).
You can get them through this URL:
Having read your paper, I'm a bit confused about what you think the "new
SQL injection technique" is that you've discovered. I understand you have
determined a way to *extract* data in a more compact and efficient format,
but I didn't see any new *injection* technique. IOW, the FOR XML
construct isn't going to assist you in obtaining the data - only in
obtaining it more efficiently.
Did I miss something?
Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
WARNING: Check the headers before replying
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/